Annual Report, “Federal Information Security Management Act: Fiscal Year 2008 Report from the Office of Inspector General” (IG-08-031, September 30, 2008)

This annual report, submitted as a memorandum from the Inspector General to the NASA Administrator, provides the Office of Management and Budget (OMB) with our independent assessment of NASA’s information technology (IT) security posture. For FY 2008, our audit included a review of 39 non-national security Agency systems and 6 non-national security external systems. We also reviewed specific actions that the Agency took to improve IT security. Our review was in response to the Deputy Chief Information Officer for IT Security’s conclusion that IT security was no longer a material weakness that needed to be reported as such in the Administrator’s annual Statement of Assurance. Progress made included closure of 91 percent of recommendations to improve IT security made by the Office of Inspector General in FYs 2005 through 2007, establishment of the IT Security Program Management Office, revisions to the incident management program that included implementation plans for the Security Operations Center, establishment of the Cyber Threat Analysis Program, and improvements to the Agency’s compliance with FISMA requirements.

Based on the work we performed, we agree that IT security is no longer a material weakness. However, while there is improvement in internal controls through establishment of management programs and processes, we have not determined the effectiveness of these controls in reducing IT security threats. Whether management programs and processes can effectively demonstrate results can only be determined over time. The NASA OCIO should continue to report quarterly to the Senior Assessment Team until these actions are fully implemented and demonstrating the desired results. This should ensure continued focus on IT security deficiencies as well as ensure that sufficient management attention and adequate resources are provided. Therefore, we plan to again report IT security as a management and performance challenge in the Agency’s FY 2008 Performance and Accountability Report.

The OMB’s FY 2008 Report to Congress on Implementation of The Federal Information Security Management Act of 2002 includes information from our report. However, as an “Intra-Agency Memorandum,” our report is considered exempt from release under the Freedom of Information Act (FOIA); it also contains NASA Information Technology/Internal Systems Data that is not routinely released under FOIA. To submit a FOIA request, see the online guide.